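#!/bin/bash
#
# Azure VM user-data: install Vault Enterprise as a systemd service with
# Azure Key Vault auto-unseal and a local file storage backend.
#
# This file is a Terraform template. `${name}` is substituted by Terraform
# (client_id, client_secret, tenant_id, vault_name, key_name must be supplied);
# `$${name}` is the escape for a bash expansion that must survive rendering.
# cloud-init runs the rendered script as root, so no sudo is needed.
set -euo pipefail

# Send the log output from this script to user-data.log, syslog, and the console
# From: https://alestic.com/2010/12/ec2-user-data-output/
exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1

DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unzip jq

VAULT_VERSION="1.4.3+ent"
VAULT_ZIP="vault_$${VAULT_VERSION}_linux_amd64.zip"
VAULT_SUMS="vault_$${VAULT_VERSION}_SHA256SUMS"
VAULT_BASE_URL="https://releases.hashicorp.com/vault/$${VAULT_VERSION}"

# Download into a private temp dir rather than a predictable /tmp path.
tmpdir="$(mktemp -d)"
trap 'rm -rf -- "$${tmpdir}"' EXIT

# --fail: a 404/5xx must abort the script instead of handing unzip an HTML page.
curl --silent --show-error --fail --location \
  --output "$${tmpdir}/$${VAULT_ZIP}" "$${VAULT_BASE_URL}/$${VAULT_ZIP}"
curl --silent --show-error --fail --location \
  --output "$${tmpdir}/$${VAULT_SUMS}" "$${VAULT_BASE_URL}/$${VAULT_SUMS}"

# Integrity check against the release's published SHA256SUMS. This only proves
# the zip matches the checksum file from the same origin; verifying the
# SHA256SUMS signature with HashiCorp's release key is not done here.
# With pipefail, an empty grep (zip not listed) also aborts the script.
(cd "$${tmpdir}" && grep -F -- "$${VAULT_ZIP}" "$${VAULT_SUMS}" | sha256sum --check --strict -)

unzip -o "$${tmpdir}/$${VAULT_ZIP}" -d /usr/local/bin/
# The binary stays root-owned: the service user must not be able to replace it.
chown root:root /usr/local/bin/vault
chmod 0755 /usr/local/bin/vault

# Config dir: root-owned, group-readable by the service user only (config.hcl
# holds the Azure client secret). Data dir: private to the service user.
mkdir -p /etc/vault.d
chown root:azureuser /etc/vault.d
chmod 0750 /etc/vault.d
mkdir -p /opt/vault
chown azureuser:azureuser /opt/vault
chmod 0700 /opt/vault

# Quoted heredoc: $MAINPID must reach systemd literally instead of being
# expanded (to nothing) by bash while writing the unit.
cat <<'EOF' > /lib/systemd/system/vault.service
[Unit]
Description=Vault Server
Requires=network-online.target
After=network-online.target

[Service]
Restart=on-failure
PermissionsStartOnly=true
ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/local/bin/vault
ExecStart=/usr/local/bin/vault server -config /etc/vault.d/config.hcl
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM
LimitMEMLOCK=infinity
User=azureuser
Group=azureuser

[Install]
WantedBy=multi-user.target
EOF
chmod 0644 /lib/systemd/system/vault.service

# Quoted heredoc: the seal values are already substituted by Terraform, so bash
# must not re-expand them (a secret containing `$` or backticks would otherwise
# be mangled). A value containing a double quote would still break the HCL.
# NOTE: the listener is plaintext on every interface; the unseal key in Azure
# Key Vault does not protect tokens and secrets in transit. Terminate TLS here
# or restrict the address before exposing this node beyond localhost.
# disable_mlock is intentionally not set: the unit grants CAP_IPC_LOCK for the
# purpose of locking memory, and with the file backend unlocked pages holding
# key material could be swapped to disk.
cat <<'EOF' > /etc/vault.d/config.hcl
storage "file" {
  path = "/opt/vault"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

seal "azurekeyvault" {
  client_id     = "${client_id}"
  client_secret = "${client_secret}"
  tenant_id     = "${tenant_id}"
  vault_name    = "${vault_name}"
  key_name      = "${key_name}"
}

ui = true
EOF
chown root:azureuser /etc/vault.d/config.hcl
chmod 0640 /etc/vault.d/config.hcl

# Login shells get the local address only. VAULT_SKIP_VERIFY is deliberately
# not exported system-wide: it silently disables TLS verification for every
# user as soon as TLS is enabled anywhere.
cat <<'EOF' > /etc/profile.d/vault.sh
export VAULT_ADDR=http://127.0.0.1:8200
EOF
chmod 0644 /etc/profile.d/vault.sh

systemctl daemon-reload
systemctl enable vault
systemctl start vault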